Traditional computing devices are designed to run only a single operating system, but virtualization may allow a single computer to run multiple operating systems at the same time. Virtualization may also provide many other features that optimize the use of computer and network resources. As the popularity of virtualization grows, so does the need to account for and manage virtual machines in network environments.
Virtualized environments may present challenges to many security mechanisms, especially those that assume a particular host is a single, indivisible endpoint. While security infrastructures may use end-point enforcement (e.g., data loss prevention, behavior monitoring, etc.) to limit what can be done on the host, they may not be designed to effectively control the use of virtualization technologies. Host system policies may be difficult to apply to virtual machines. In some situations, a virtual machine may be treated by the host as a single process. Such a virtual machine may appear compliant from an external perspective, yet be non-compliant internally.
When a host operates in a mode where the host system and a virtual machine running on the host act as completely separate network endpoints (e.g., in a bridged configuration), network access control may be applied to the host and virtual machine independently. However, if the virtual machine accesses the network in other ways, network access control may be ineffective with respect to the virtual machine. For example, the host may proxy the virtual machine's access to a network. If the host has already been authenticated and passed network access control inspection, network traffic may be allowed from the virtual machine running on the host regardless of the configuration of the virtual machine. As a result, a non-compliant virtual machine may bypass network access control restrictions and may compromise network security.
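The two cases described above, modelled as an added example that is not part of the original text: a network access control check keyed on the source address it observes, a virtual machine attached either in bridged mode (its own address) or behind the host's proxy (the host's address), and an assumed mitigation in which the host reports the posture of every virtual machine it runs. The class names, field names and the `require_vm_posture` option are constructed for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    compliant: bool      # result of a posture assessment inside the VM
    mode: str            # "bridged" (own network endpoint) or "nat" (host proxies traffic)

@dataclass
class Host:
    name: str
    compliant: bool      # result of the host's own posture assessment
    vms: list = field(default_factory=list)   # VMs the host runs (constructed inventory)

def traffic_source(host: Host, vm: VM) -> str:
    """Address the NAC enforcement point sees for packets originating in the VM."""
    return vm.name if vm.mode == "bridged" else host.name

def build_sessions(hosts: list) -> set:
    """Authenticate and posture-check every endpoint the NAC can see independently.

    A bridged VM is a separate endpoint and gets its own inspection; a NAT VM is
    invisible here because its traffic never carries an address of its own.
    """
    sessions = set()
    for host in hosts:
        if host.compliant:
            sessions.add(host.name)
        for vm in host.vms:
            if vm.mode == "bridged" and vm.compliant:
                sessions.add(vm.name)
    return sessions

def nac_admit(host: Host, vm: VM, sessions: set, require_vm_posture: bool = False) -> bool:
    """Decide whether packets from `vm` are allowed onto the network.

    Without `require_vm_posture` the decision depends only on the observed source
    address, which is exactly the gap the text describes: a non-compliant NAT VM
    rides the host's already-authenticated session. With it, an (assumed) host
    agent reports the VMs it runs, and the host's session is honoured only while
    every reported VM is compliant.
    """
    src = traffic_source(host, vm)
    if src not in sessions:
        return False
    if require_vm_posture and src == host.name:
        return all(v.compliant for v in host.vms)
    return True
```
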